Re: [exim] Does exim4's `${sqlite_quote ... }` expansion de-…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Andrew C Aitchison
Date:  
À: Nick
CC: exim-users
Sujet: Re: [exim] Does exim4's `${sqlite_quote ... }` expansion de-taint the expanded value?
On Fri, 19 Aug 2022, Andrew C Aitchison via Exim-users wrote:

> On Fri, 19 Aug 2022, Nick via Exim-users wrote:
>
>> Hello Exim users,
>>
>> I've a problem with Sqlite lookups and tainting. I've composed a question
>> on Stack Exchange, since it's easier to access than this list (and I forgot
>> i was already subscribed here long ago!)
>>
>> https://serverfault.com/questions/1108609/does-exim4s-sqlite-quote-expansion-de-taint-the-expanded-value
>>
>> Quoting that here:
>>
>>> I'm upgrading an exim4 installation which has some custom filters,
>>> to Debian 11. (Specifically, the filters are this
>>> <https://github.com/wu-lee/exim-disposable-aliases>.)
>>>
>>> Since that uses Exim 4.94, I've now run into the new-ish "tainted variables"
>>> <https://www.exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html>
>>> feature, which has broken my filter.


Exim 4.96 has more tainting features than 4.94.
If you have access to 4.96, I would test against the newest version.

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???